
EAP-TLS FAILING ON WIRELESS IPPHONE CP-7925G

nibinrodrigues
Level 1

Hi all,

We had enabled EAP-TLS authentication on our WiFi network. We are using Cisco ACS 1113 and Microsoft Certificate Server for this setup. Currently we are able to successfully authenticate with EAP-TLS on computers, but the phones are not registering on the network.

On the ACS we are getting the following error.

"EAP-TLS or PEAP authentication failed due to invalid certificate during SSL handshake".

Thanks

Nibin       


Hi Nibin,

You must install the Root CA (Authentication Server CA) and user certificate on the Cisco Wireless 7925G IP Phone for EAP-TLS authentication.

Please find the following file for the step-by-step certificate installation process:

http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7925g/7_0/english/deployment/guide/7925dply.pdf

Thanks,
Prashant Gondaliya


Dear Prashant,

Thanks for the reply. But I followed exactly the same guide. My EAP-TLS authentication is working fine with laptops, but while I am trying to authenticate IP phones I am getting the following error in ACS.

EAP-TLS or PEAP authentication failed due to invalid certificate during SSL handshake

thanks

That error means that the phones do not have a valid cert or have the wrong type of cert to use with EAP-TLS.


-Scott
*** Please rate helpful posts ***

Hi Nibin,

Authentication might be failing due to a mismatch in the following parameters on the certificates.

Please check the following parameters on the CA server certificate:

1. Common Name (CN)

2. Organization (O)

3. Organization Unit (OU)

4. City

5. State

6. Country

7. Key Size (1024/2048)

NOTE: Most probably, concentrate on the CN parameter format, which is where I was stuck in my case.

NOTE: The second most important thing that needs to be checked is the phone date and time.

Signing CA Server Certificate uploaded is in DER format only.

Thanks,
Prashant Gondaliya


Dear all

Thanks for your reply. Actually, the setting is working for laptops; the only issue is with wireless IP phones.

Please find the logs from Cisco ACS. I followed the deployment guide for IP Phone.

AUTH 02/10/2013 13:29:58 I 0000 1756 0xb CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client certificate A

AUTH 02/10/2013 13:29:58 I 2009 1756 0xb EAP: EAP-TLS: Handshake failed

AUTH 02/10/2013 13:29:58 E 2255 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL recv alert fatal:bad certificate

AUTH 02/10/2013 13:29:58 E 2258 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL ext error reason: 412 (Ext error code = 0)

AUTH 02/10/2013 13:29:58 E 2297 1756 0xb EAP: EAP-TLS: ProcessResponse(1519): mapped SSL error code (3) to -2198

AUTH 02/10/2013 13:29:58 I 0526 1756 0xb EAP: EAP-TLS: Unknown EAP code Unknown EAP code

AUTH 02/10/2013 13:29:58 I 0366 1756 0xb EAP: EAP state: action = send

AUTH 02/10/2013 13:29:58 I 1151 1756 0xb [AuthenProcessResponse]:[eapAuthenticate] returned -2198

AUTH 02/10/2013 13:29:58 I 1198 1756 0xb EAP: <-- EAP Failure/EAP-Type=EAP-TLS (identifier=7, seq_id=7)

AUTH 02/10/2013 13:29:58 I 5501 1756 0xb Done UDB_SEND_RESPONSE, client 50, status UDB_EAP_TLS_INVALID_CERTIFICATE

Thanks

Nibin Rodrigues
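
The ACS lines posted above can be summarized per session with a short parser; this is an added example, not part of the thread and not a Cisco tool. The field names (level, code, thread, session) are assumptions inferred from the posted lines, and the code reads "recv alert" as a TLS alert that the ACS received from the phone.

```python
import re
from collections import defaultdict

# Constructed sample: four of the ACS lines posted in the thread above.
SAMPLE_LOG = """\
AUTH 02/10/2013 13:29:58 I 0000 1756 0xb CryptoLib.SSLConnection.pvServerInfoCB - Process TLS data: SSL state=SSLv3 read client certificate A
AUTH 02/10/2013 13:29:58 I 2009 1756 0xb EAP: EAP-TLS: Handshake failed
AUTH 02/10/2013 13:29:58 E 2255 1756 0xb EAP: EAP-TLS: ProcessResponse: SSL recv alert fatal:bad certificate
AUTH 02/10/2013 13:29:58 I 5501 1756 0xb Done UDB_SEND_RESPONSE, client 50, status UDB_EAP_TLS_INVALID_CERTIFICATE
"""

# Field names are assumptions inferred from the posted lines, not from ACS docs.
LINE_RE = re.compile(
    r"^AUTH (?P<date>\S+) (?P<time>\S+) (?P<level>[A-Z]) (?P<code>\d{4}) "
    r"(?P<thread>\d+) (?P<session>0x[0-9a-fA-F]+) (?P<msg>.*)$")
STATE_RE = re.compile(r"SSL state=(.+)$")
ALERT_RE = re.compile(r"SSL (\w+) alert (\w+):\s*(.+)$")
STATUS_RE = re.compile(r"status (UDB_\w+)")

def summarize(log_text):
    """Group lines by session and pull out the TLS state, alert and final status."""
    sessions = defaultdict(lambda: {"state": None, "alert": None, "status": None,
                                    "errors": 0, "hint": None})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognized line
        s = sessions[m["session"]]
        msg = m["msg"]
        if m["level"] == "E":
            s["errors"] += 1
        if (st := STATE_RE.search(msg)):
            s["state"] = st.group(1)
        if (al := ALERT_RE.search(msg)):
            direction, level, desc = al.groups()
            s["alert"] = (direction, level, desc.strip())
            if direction == "recv" and desc.strip() == "bad certificate":
                # A received alert was sent by the peer (the phone), so the
                # phone is the side that refused a certificate.
                s["hint"] = ("peer sent bad_certificate: check the server cert "
                             "chain, the CA loaded on the phone, and the phone clock")
        if (fs := STATUS_RE.search(msg)):
            s["status"] = fs.group(1)
    return dict(sessions)

if __name__ == "__main__":
    for sid, info in summarize(SAMPLE_LOG).items():
        print(sid, info)
```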
